As a well-known privacy activist and founder of one of Europe’s most influential privacy enforcement NGOs, Austrian lawyer Max Schrems seems surprisingly sympathetic to companies that are not complying with the General Data Protection Regulation, commonly known as GDPR—Europe’s trailblazing 2018 privacy law.
“If you purely look at it from a business perspective, noncompliance right now pays off,” he told Law.com International.
What’s more, if he were a corporate lawyer, he would probably even advise companies not to comply with GDPR in some cases.
The activist, one of the most public faces in the fight for privacy, is at once feared and revered—known for successful campaigns against Facebook and for turning the world on its head with lawsuits that brought down a data-transfer mechanism used by thousands of companies.
But he understands that the size of the investment needed to become compliant—plus being compliant while your competitors are not—carries a financial cost. If the price of becoming compliant is €1 million, and the possible fine for noncompliance is only €5,000 or €10,000, while the likelihood of being fined at all is one in a million, companies have little incentive to comply with privacy laws, he says.
But Schrems isn’t a corporate lawyer. He is the founder, honorary chairman and the face of None of Your Business (NOYB)—an Austria-based privacy NGO that has managed to strike down an EU-U.S. data transfer agreement on privacy grounds—twice, litigating all the way to Europe’s highest court. The cases have become known as Schrems I and Schrems II.
Schrems says the current lack of enforcement stems from the fact that most data protection authorities across Europe are under-resourced and understaffed, sometimes for political reasons. Countries deliberately skimp on the resources their data protection authorities need or appoint an enforcement regulator they know will take a passive approach, he said, citing Ireland as one example. “That’s not a broad phenomenon,” he said. “But in some member states, we do have that problem.”
The biggest issue, however, is a sheer lack of resourcefulness, Schrems says. Local privacy enforcers would be able to issue many more fines if they automated aspects of their enforcement procedures.
“You’ve got to think a little bit like a startup—how can we scale that? How can we use the resources well? And so on.”
But they don’t do this. Instead, regulators carry out many enforcement procedures manually.
“We’re talking about digital technology, but the procedures are run like in the 18th century,” Schrems said.
The result has been that organizations like NOYB can bring complaint after complaint against companies that violate GDPR, filing them with national data protection authorities. But few of those complaints result in a decision by those privacy enforcers, making the odds very low that a noncompliant company will be sanctioned.
“In Ireland, I can tell you, 99.96% of cases don’t get a decision,” Schrems said. “It’s a bit like having a fundamental right to vote, but 99% of the time there’s just no voting booth.”
It’s why Schrems has high hopes for the collective redress mechanism that EU member countries will have to implement into their national laws by the end of 2022, making it easier for consumers to file class action-type lawsuits across the European Union. The directive is expected to result in a wave of class actions—especially revolving around privacy.
The new framework means that an organization like NOYB won’t have to file a complaint with a local data protection enforcer, wait for a decision that may take several years and then appeal that decision before a court. Instead, they will be able to take a company that doesn’t comply with GDPR straight to court.
GDPR, Four Years Later
Four years after its introduction, a lot of GDPR decisions continue to be overturned in local courts. In Belgium, 60% to 80% of the local data enforcer’s decisions are successfully challenged. But according to Schrems, there are good reasons for those high reversal rates.
Some data protection authorities pick their staff “off the street”—they are not trained lawyers and have no prior GDPR expertise, he noted. “With all good intentions … I’m not blaming anybody; but the reality is you’re going to have a high overturn rate.”
Some decisions also crumble on appeal for reasons that have nothing to do with the correct application of the law, he says.
“Certain DPAs (data protection authorities) have courts above them that don’t believe in the GDPR and overturn anything for any reason,” he said. “We have a couple of German states where we know that is a problem.”
In addition, the standard of review also differs across the continent, with Irish courts more hands-off, for instance, and Austrian courts very strict in their reviews, he said.
A lot of criticisms have been lobbed at Europe’s seminal privacy law since it took effect in 2018. Schrems has heard them all: there are too many enforcement disparities; companies are filing GDPR complaints to get back at competitors; there is too much legal uncertainty.
But Schrems dismisses them all. The only criticism he’s heard that he finds fair has come from small companies, which need to meet the same privacy bar as far larger companies with more resources. “There were a lot of good arguments saying, ‘Let’s have Tier A, Tier B and Tier C—like a 1-2-3 system [for] large companies, medium and small ones’” under GDPR, he said.
Instead, a one-size-fits-all approach was adopted and, according to Schrems, large companies are squarely to blame for that.
“The lobbying in Brussels was dominated by the big guys and not by the average company that now has to apply GDPR,” he said, adding that large companies realized that they would have faced tougher rules under a tiered approach. “So they [tried] to have one average law for everybody, which is now too much for really small companies.”
A Culture of Compliance
According to Schrems, persuading large tech companies to uphold Europe’s tough privacy law will take more large fines like those slapped on Amazon (€746 million) and WhatsApp (€225 million). But the way to make the average company comply with GDPR, and to build a general culture of compliance, is to impose many more small, €5,000-ish fines for infractions. When a company that violates GDPR becomes much more likely to be sanctioned, statistically speaking, noncompliance no longer makes business sense.
But minds will also have to change, Schrems says. Companies, their lawyers, and even some local data privacy enforcers do not see noncompliance with privacy rules as problematic. And though this cultural acceptance of noncompliance can be seen on both sides of the Atlantic, Schrems believes the problem is even bigger in Silicon Valley.
“That whole area has issues with compliance, I guess. But in the privacy realm, it’s extreme,” he said.
In Schrems’ view, the reason for this is obvious: When companies break privacy rules, they seldom face a strong opponent. But in most other areas of the law, that is not the case. For example, when rules governing investor protections or copyright are violated, companies risk running up against parties who will take them to court.
“But in the privacy field, it’s only individuals—and they’re usually not represented,” he said, noting that his organization is the exception to that rule. Under GDPR, consumers can appoint NGOs to represent them before a data protection authority or in court in individual cases.
Although Schrems is doubtful that the U.S. will adopt a “tough, serious” privacy law, he does expect federal U.S. privacy legislation to be adopted as more states adopt privacy laws at the state level. And Schrems worries that this will result in a growing lack of “interoperability” between privacy laws at the global level, particularly since U.S. lawmakers are pushing for “an alternative to GDPR”—in other words, an entirely different system.
“[You’ll have] a federal law in the U.S. while most of the world has more of a GDPR-type kind of law,” he said. “Then you really get to a point where it’s not manageable anymore for a company.”
And that’s true not just for privacy, he said. The laissez-faire approach lawmakers have taken for a long time regarding all things digital has brought us to the current free-for-all.
“Now, everybody tries to regulate all the online things at the same time and what we’re going to have, as a logical consequence from that, is conflicts of laws.”
Schrems’ hope is that the world will eventually move to a two-system order—with democratic countries on the one hand and all other countries on the other.
“We’ll have to split stuff to a certain extent and say, ‘OK, that data doesn’t go to China; that doesn’t go to Russia; you can’t use that platform, which is controlled by the FSB,’” he said, referring to the Federal Security Service, Russia’s successor to the KGB.
Asked whether Big Tech companies now understand the importance of complying with European privacy laws, Schrems was skeptical.
“There is this ‘we-rule-the-world’ attitude that I think comes into play here,” he said, adding that European countries also put up with this much of the time. “We wouldn’t accept that from any other player but the U.S.”
After the Cambridge Analytica scandal, however, which exposed the fact that personal data belonging to millions of Facebook users was collected without their consent by a consulting firm, primarily for political purposes, a lot of people started to “get it,” Schrems said. Before the scandal, the general attitude was, “you’re all so backward because you try to preserve privacy, which just doesn’t exist anymore,” he said.
After the Cambridge Analytica incident, reported by The Observer and The New York Times, Schrems was hailed as a mastermind who had seen the writing on the wall. He is convinced that most people working for Big Tech companies today understand and want to comply with privacy laws. It is Big Tech’s senior management that isn’t there yet, he says.
He notes that many of the privacy experts who apply to join NOYB are former corporate data protection officials who have left their former employers out of frustration at their inability to get management to listen. They have come to understand that change will occur only through general deterrence and proper enforcement.
“The people who work in these fields gradually get it,” he said.